#!/bin/bash
# update/generate kubernetes config file to access eks cluster
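# Abort on the first unhandled command failure.
set -e

# Directory holding this script; quoted so a path containing spaces or glob
# characters is not split or expanded.
CURDIR=$(dirname -- "$0")

# Defaults, overridable through process_args (-n, -s, -r, -k).
EKS_NAME=eks
SPINNAKER_MANAGED=false

# Exported so that child processes see the same region and kubeconfig path.
# NOTE(review): these assignments replace any AWS_REGION / KUBECONFIG the
# caller already had in the environment.
export AWS_REGION=us-east-1
export KUBECONFIG="$CURDIR/kubeconfig"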
#######################################
# Print the one-line command synopsis.
# Outputs: the usage string on stdout
#######################################
print_usage() {
  printf '%s\n' "Usage: $0 -k <kubeconfig-path> -n(name) <eks-name> -r(region) <aws-region> -s(spinnaker-managed) <true|false>"
}
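#######################################
# Parse the command-line options into the script's global settings.
# Globals:   EKS_NAME, AWS_REGION, KUBECONFIG, SPINNAKER_MANAGED (written)
# Arguments: the script's positional parameters ("$@")
# Outputs:   usage text on stdout when called without arguments;
#            diagnostics on stderr
# Returns:   exits 255 when no argument is given or an option has no value
#######################################
process_args() {
  # Numeric comparison; inside [[ ]] the '<' operator compares strings.
  if (( $# < 1 )); then
    print_usage
    exit 255 # same status bash reports for the former 'exit -1'
  fi

  # getopts tracks its position in OPTIND; keeping it local lets the function
  # parse a fresh argument list every time it is called.
  local opt OPTARG OPTIND=1
  while getopts ":n:a:r:k:s:" opt; do
    case "$opt" in
      n) EKS_NAME="$OPTARG" ;;
      r) AWS_REGION="$OPTARG" ;;
      k) KUBECONFIG="$OPTARG" ;;
      s) SPINNAKER_MANAGED="$OPTARG" ;;
      a) ;; # listed in the optstring but unused; still consumed so parsing continues
      :)
        # An option without its value used to be skipped silently, leaving the
        # default cluster/region/kubeconfig in effect for the rest of the run.
        >&2 echo "Option '-$OPTARG' requires a value"
        exit 255
        ;;
      \?)
        # NOTE(review): an unknown option is only reported, not fatal, so a
        # mistyped flag still leaves the defaults in place.
        >&2 echo "Unrecognized argument '$OPTARG'"
        ;;
    esac
  done
}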
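#######################################
# Rebuild the kubeconfig for the selected EKS cluster and, when
# SPINNAKER_MANAGED is "true", reduce it to a single service-account context.
# Globals:   KUBECONFIG, EKS_NAME, AWS_REGION, SPINNAKER_MANAGED (read)
# Outputs:   whatever aws, rbac and minify print
# Returns:   non-zero (or script exit under 'set -e') when a step fails
#######################################
init() {
  # Files created from here on hold cluster credentials. Create them
  # owner-only instead of relying solely on the chmod at the end, which runs
  # after the credentials have already been written.
  umask 077

  # Start from a clean file so entries from an earlier run cannot survive.
  rm -f -- "$KUBECONFIG"

  # update kubeconfig
  # NOTE(review): assumes the AWS CLI writes to the exported KUBECONFIG path.
  aws eks update-kubeconfig --name "$EKS_NAME" --region "$AWS_REGION"

  if [[ "$SPINNAKER_MANAGED" == "true" ]]; then
    # The namespace doubles as the kubeconfig context name used by minify.
    local namespace=$EKS_NAME
    local serviceaccount=spinnaker-managed
    rbac "$namespace" "$serviceaccount"
    minify "$namespace"
  fi

  # restrict access
  chmod 600 -- "$KUBECONFIG"
}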
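#######################################
# Create a namespace and a service account, bind the account to a cluster
# role, and register the account's token as a kubeconfig user and context.
#
# SECURITY: the binding is a ClusterRoleBinding to cluster-admin, so the
# service account (and anyone holding the resulting kubeconfig) controls the
# whole cluster, not just the namespace created here.
#
# Arguments: $1 - namespace to create (also used as the context name)
#            $2 - service account name
# Outputs:   kubectl output on stdout, diagnostics on stderr
# Returns:   non-zero when the token secret or the token cannot be read
#######################################
rbac() {
  local namespace=$1
  local serviceaccount=$2
  local secret_name token cluster

  # Unquoted heredoc: $namespace and $serviceaccount are expanded into the
  # manifest, so both must be plain Kubernetes object names.
  cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
metadata:
  name: $namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $serviceaccount
  namespace: $namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $serviceaccount
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: $serviceaccount
  namespace: $namespace
EOF

  # Kubernetes 1.24 and later no longer create a token Secret for a service
  # account automatically, so .secrets[0] can be empty. Stop here rather than
  # store an empty credential in the kubeconfig.
  secret_name=$(kubectl get serviceaccount "$serviceaccount" \
    -n "$namespace" \
    -o jsonpath='{.secrets[0].name}') || return
  if [[ -z "$secret_name" ]]; then
    printf 'no token secret found for service account %s in namespace %s\n' \
      "$serviceaccount" "$namespace" >&2
    return 1
  fi

  token=$(kubectl get secret "$secret_name" \
    -n "$namespace" \
    -o jsonpath='{.data.token}' | base64 --decode) || return
  if [[ -z "$token" ]]; then
    printf 'secret %s holds no token\n' "$secret_name" >&2
    return 1
  fi

  # NOTE(review): the token is passed on the command line and is therefore
  # visible in the process list while kubectl runs.
  kubectl config set-credentials "$serviceaccount" --token="$token"

  # The current context's name is reused as the cluster name.
  # NOTE(review): presumably the two match in the file written by
  # 'aws eks update-kubeconfig' - confirm.
  cluster=$(kubectl config current-context) || return
  kubectl config set-context "$namespace" \
    --cluster="$cluster" \
    --user="$serviceaccount" \
    --namespace="$namespace"
}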
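#######################################
# Rewrite $KUBECONFIG so that it contains only the given context.
# Globals:   KUBECONFIG (read; the file is overwritten)
# Arguments: $1 - name of the context to keep
# Outputs:   kubectl's messages on stdout
# Returns:   status of the first failing kubectl call, 0 otherwise
#######################################
minify() {
  local context=$1
  local full_config
  local rc=0

  # The intermediate copy holds raw credentials ('config view --raw').
  # mktemp gives it an unpredictable name and owner-only permissions; it stays
  # next to the kubeconfig, as the former fixed '.full.tmp' file did.
  full_config=$(mktemp "${KUBECONFIG}.XXXXXX") || return

  {
    kubectl config view --raw > "$full_config" &&
      kubectl --kubeconfig "$full_config" config use-context "$context" &&
      kubectl --kubeconfig "$full_config" \
        config view --flatten --minify > "$KUBECONFIG"
  } || rc=$?

  # Remove the credential copy on failure as well as on success.
  rm -f -- "$full_config"
  return "$rc"
}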
# main: parse the options, build the kubeconfig, then drop the two exported
# settings. The unset only reaches the caller's shell when the script is
# sourced; a normally executed script ends here anyway.
process_args "$@"
init
unset AWS_REGION KUBECONFIG